VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2021 · Updated Aug 4, 2024

CVE-2021-38136

Description

Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the snap_file parameter in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. A ‘low privileged’ attacker can read any file on the target host.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Corero SecureWatch Managed Services 9.7.2.0020 contains a path traversal vulnerability in the get_snapshot API endpoint, allowing low-privileged attackers to read arbitrary files on the host.

Vulnerability

Corero SecureWatch Managed Services version 9.7.2.0020 is affected by a path traversal vulnerability in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. The snap_file parameter is used to construct a file path without sanitization, as seen in the snapshotHandler.py script located at /opt/splunk/etc/apps/securewatch_analytics_tdd/bin/snapshot_handler/. The handler prepends /corero/snapshots/ to the user-supplied value and opens the resulting path [1]. This allows an attacker to traverse directories and read any file on the target host.

Exploitation

An attacker with low-privileged access (e.g., a user with the swa-monitor role) can exploit this by sending a crafted HTTP GET request to the vulnerable endpoint. The snap_file parameter is set to a path traversal sequence such as ../../etc/passwd to escape the base directory. The request is processed by the GetSnapshot handler, which reads and returns the file content in the HTTP response [1]. No additional authentication or user interaction beyond the low-privileged session is required.

Impact

Successful exploitation allows the attacker to read arbitrary files on the target host, including sensitive configuration files, credentials, and other data. This leads to information disclosure, potentially compromising the confidentiality of the system and enabling further attacks. The attacker does not gain write access or code execution, but the ability to read any file can expose critical secrets [1].

Mitigation

As of the publication date (2021-08-06), no official patch or fixed version has been announced by Corero. The vulnerability exists in version 9.7.2.0020; users should contact Corero for updates or consider restricting access to the vulnerable endpoint via network controls. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing input sanitization in the `snap_file` parameter allows path traversal out of the intended `/corero/snapshots/` directory."

Attack vector

An attacker with low-privileged credentials (the `swa-monitor` role) sends an HTTP GET request to `/it-IT/splunkd/__raw/services/get_snapshot` with a `snap_file` parameter containing path-traversal sequences (e.g., `../../../../../../../../../../etc/shadow`). The server concatenates this unsanitized input with the base directory `/corero/snapshots/` and returns the contents of the traversed file in the HTTP response [ref_id=1]. No authentication bypass or additional privileges beyond `swa-monitor` are required.

Affected code

The vulnerable file is `/opt/splunk/etc/apps/securewatch_analytics_tdd/bin/snapshot_handler/snapshotHandler.py`, reachable via the HTTP endpoint `/it-IT/splunkd/__raw/services/get_snapshot`. The `GetSnapshot` class (extending `splunk.rest.BaseRestHandler`) reads the `snap_file` query parameter without any sanitization and concatenates it directly with the base path `/corero/snapshots/` [ref_id=1].

What the fix does

The advisory states that Corero fixed the vulnerability in SecureWatch Managed Services version 9.7.5, released on 09/12/2020 [ref_id=1]. No patch diff is provided in the bundle, so the exact code change is unknown; however, the remediation would require sanitizing the `snap_file` parameter to reject path-traversal sequences (e.g., `../`) or to validate that the resolved path stays within the intended `/corero/snapshots/` directory. Users should upgrade to version 9.7.5 or later.
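A constructed Python illustration (not Corero's snapshotHandler.py, whose source the bundle does not include) of the unsafe prefix-and-open pattern the advisory describes next to the containment check a fix of the kind outlined above would need. The base directory is taken from the advisory; the function names are assumptions.

```python
import os

# Base directory named in the advisory; the handler prepends it to snap_file.
SNAPSHOT_DIR = "/corero/snapshots/"


def vulnerable_snapshot_path(snap_file):
    """Unsafe pattern the advisory describes: prepend the base directory to
    the raw query parameter and open the result (constructed illustration)."""
    return SNAPSHOT_DIR + snap_file


def resolved_target(snap_file):
    """What the unsafe path actually points at once '..' segments collapse."""
    return os.path.normpath(vulnerable_snapshot_path(snap_file))


def safe_snapshot_path(snap_file, base_dir=SNAPSHOT_DIR):
    """Hardened form: resolve symlinks and '..' first, then require the
    result to sit strictly inside base_dir. Raises ValueError otherwise."""
    if not snap_file:
        raise ValueError("snap_file is required")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when snap_file is absolute; the containment
    # check below still rejects that case.
    candidate = os.path.realpath(os.path.join(base, snap_file))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("snap_file escapes the snapshot directory")
    return candidate


def evaluate(snap_file):
    """Return (allowed, path): the vetted path when the name is acceptable,
    otherwise the file the unsafe handler would have served, which is the
    value worth logging for a rejected request."""
    try:
        return True, safe_snapshot_path(snap_file)
    except ValueError:
        return False, resolved_target(snap_file)


if __name__ == "__main__":
    # Second name is the payload quoted in the advisory's reproduction steps.
    for name in ("daily.snap", "../../../../../../../../../../etc/shadow"):
        print(name, "->", evaluate(name))
```

The `evaluate` wrapper is what an access-control or audit layer would call: a `False` result with the collapsed target tells an operator which file a traversal attempt was reaching for.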

Preconditions

  • Auth: Attacker must possess a valid account with the 'swa-monitor' role on the Corero SecureWatch appliance.
  • Network: The target endpoint /it-IT/splunkd/__raw/services/get_snapshot must be network-accessible to the attacker.
  • Input: The snap_file query parameter is accepted without sanitization, allowing path-traversal sequences.

Reproduction

1. Log in to the Corero Firewall with a user that has `swa-monitor` privileges.
2. Visit the following URL (replace `$host` with the target hostname or IP): `https://$host/it-IT/splunkd/__raw/services/get_snapshot?snap_file=../../../../../../../../../../etc/shadow`
3. Observe the content of the `/etc/shadow` file in the server response [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
